JS: Add test case with spurious call/return flow

Author: asgerf

javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected

@@ -34,6 +34,8 @@ typeInferenceMismatch
 | callbacks.js:51:18:51:25 | source() | callbacks.js:30:29:30:29 | y |
 | callbacks.js:53:23:53:30 | source() | callbacks.js:58:10:58:10 | x |
 | capture-flow.js:9:11:9:18 | source() | capture-flow.js:14:10:14:16 | outer() |
+| capture-flow.js:31:14:31:21 | source() | capture-flow.js:30:6:30:20 | confuse('safe') |
+| capture-flow.js:31:14:31:21 | source() | capture-flow.js:31:6:31:22 | confuse(source()) |
 | captured-sanitizer.js:25:3:25:10 | source() | captured-sanitizer.js:15:10:15:10 | x |
 | closure.js:6:15:6:22 | source() | closure.js:8:8:8:31 | string. ... (taint) |
 | closure.js:6:15:6:22 | source() | closure.js:9:8:9:25 | string.trim(taint) |

javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.expected

@@ -24,6 +24,8 @@
 | callbacks.js:51:18:51:25 | source() | callbacks.js:30:29:30:29 | y |
 | callbacks.js:53:23:53:30 | source() | callbacks.js:58:10:58:10 | x |
 | capture-flow.js:9:11:9:18 | source() | capture-flow.js:14:10:14:16 | outer() |
+| capture-flow.js:31:14:31:21 | source() | capture-flow.js:30:6:30:20 | confuse('safe') |
+| capture-flow.js:31:14:31:21 | source() | capture-flow.js:31:6:31:22 | confuse(source()) |
 | captured-sanitizer.js:25:3:25:10 | source() | captured-sanitizer.js:15:10:15:10 | x |
 | constructor-calls.js:4:18:4:25 | source() | constructor-calls.js:18:8:18:14 | c.taint |
 | constructor-calls.js:4:18:4:25 | source() | constructor-calls.js:22:8:22:19 | c_safe.taint |

javascript/ql/test/library-tests/TaintTracking/capture-flow.js

@@ -17,3 +17,15 @@ function outerMost() {
 }
 
 sink(outerMost()); // NOT OK - but missed
+
+function confuse(x) {
+    let captured;
+    function f() {
+        captured = x;
+    }
+    f();
+    return captured;
+}
+
+sink(confuse('safe')); // OK - but incorrectly flagged
+sink(confuse(source())); // NOT OK